(19) Europäisches Patentamt / European Patent Office / Office européen des brevets

(11) EP 1 162 531 A2

(12) EUROPEAN PATENT APPLICATION

(43) Date of publication: 12.12.2001 Bulletin 2001/50
(21) Application number: 01112723.0
(22) Date of filing: 25.05.2001
(51) Int Cl.7: G06F 1/00

(84) Designated Contracting States: AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE TR
Designated Extension States: AL LT LV MK RO SI

(30) Priority: 09.06.2000 US 589747

(71) Applicant: TRW Inc., Redondo Beach, California 90278 (US)

(72) Inventors:
• Siegel, Neil G., Rancho Palos Verdes, CA 90275 (US)
• Kozel, Ronald J., Redondo Beach, CA 90278 (US)
• Bixler, David C., Hermosa Beach, CA 90254 (US)

(74) Representative: Schmidt, Steffen J., Dipl.-Ing., Wuesthoff & Wuesthoff, Patent- und Rechtsanwälte, Schweigerstrasse 2, 81541 München (DE)

(54) … security and survivability

(57) A system, method and computer program that administers access and security on a network having more than one computer system connected thereto. This system, method and computer program has a local password file (1500) which is one-way encrypted and contains user identifications, associated one-way encrypted passwords and associated privileges for each authorized user allowed access to the wide area network (10). A user login module (1200) is used to receive a user identification or role and password from a user and log in the user when a match is found in the local password file (1500). A channel monitoring and filtering module (1000) is provided to monitor and receive broadcast or multicast messages within the wide area network (10) and display the message to the user when the user's associated privileges permit the viewing of the message. This system, method and computer program also has a password management module (1300) to update and ensure that all the computers in the network contain the same local password file (1500). A remote auditing module (1400) is provided to monitor and process anomalous events which may occur on a user's computer. A remote control module is also provided to enable a systems administrator or security officer to take appropriate action when a critical event transpires. An authentication module is also provided to give a system administrator or security officer the option to check and confirm a password entered by a user for reauthentication.

Description

Field of the Invention 

[0001] The invention relates to a system and method for network access and control enabling high availability, security and survivability. More particularly, the invention employs a system, method and computer program to allow access to and control of a distributed network over a low-bandwidth communications medium while keeping the communications traffic related to access and control to a minimum.

Background of the Invention 

[0002] Over the relatively short history of the computer industry dramatic changes have occurred. The most significant of these changes has been the incredible drop in hardware prices along with the equally incredible improvement in performance, reliability, size and ruggedness of computer hardware. The reliability and performance of computers have improved to the point where the military is able to place computers in each individual combat vehicle. In this manner a wide area network of computers is formed which may be used to receive orders and other mission critical data, such as the position of enemy and friendly troops, as well as their movements. However, implementing security on such a wide area network is a difficult undertaking. One of the many challenges is the sheer size such a network may take. Thousands of nodes of various types of computers may have access to the network. Further, most users may be authorized to receive only a portion of the data being transmitted over such a network. Still further, since the network operates over a battlefield, the use of cable to enable high-speed communications is out of the question. Only radio or microwave communications methods could be utilized, either directly or via a satellite system. However, the use of radio or microwave communications limits the speed at which data may be transmitted over the network. Even when a high-speed cable-based network is utilized, due to the large number of nodes on a network, it is still imperative to keep administrative data traffic to an absolute minimum.

[0003] In addition to the communications issues, a significant security issue exists. Most soldiers in the field that would have access to the system would not be authorized ("cleared") to receive most of the information traveling across the network. Of those individuals on the network that are cleared to receive classified information, not all would be at the same level of security clearance. Therefore, mechanisms have been attempted that partition the network into a multilevel security system. However, these multilevel systems are often complex, expensive, require large amounts of the available bandwidth in order to function properly, and are very man-power-intensive to administer. Therefore, implementing such a multilevel security system on a battlefield over a relatively low bandwidth communications system is not possible. This is further compounded by the fact that in a battle, vehicles may be captured. If the enemy could tap into the battle plans and troop movements of our forces, it would provide the enemy with a tremendous advantage in a battle.
[0004] It should be noted that many of the same problems encountered by the military in implementing a large wide area network are also experienced by major corporations having tens of thousands of employees, all with their own personal computers connected worldwide over a wide area network. Most employees in a corporation fall into the same category as most soldiers in the field. Namely, most employees have no need or requirement to access all of the information on a wide area network. Further, most corporations have competitors, both domestic and foreign, who could benefit from inside information relating to new products in development and bids being issued by the corporation. Therefore, in both military and commercial applications it is vital to enable authorized personnel access to required information quickly and easily, while blocking access to unauthorized individuals. These unauthorized individuals may include enemy troops, competitors, or the ubiquitous hacker. As noted by recent denial-of-service attempts and the email virus/worm infiltration of corporate computers, a hacker may cost businesses billions of dollars in wasted effort and loss of valuable information. Further, a business can be ruined by a hacker or disgruntled employee accessing customer credit card (or similar) information and publishing it on the world-wide web.

[0005] Beyond the use of multilevel security systems, the primary method of providing security has been through the use of a password access method. In such a password-based system, a user would be denied access to a computer system or a network in the event that the proper password associated with the user was not entered. Typically, a single password file would be stored on a server in a local area network, and upon start-up of a particular computer system on that local area network, the user ID and password would be checked against those in the server. This works well when the number of potential users is relatively small and substantial bandwidth is available for users to simultaneously log on. However, where a large number of users attempt to log on to the system simultaneously, access to the single password file would form a bottleneck in the system. Further, the necessity that users must always log into a single server on the network, in order to gain access, makes the server a single point of failure. Failure could lock out users throughout the network. Users' passwords are conventionally either transferred to the server over the network in clear text (unencrypted), where they are vulnerable to discovery by an adversary, or they are encrypted in transit but saved in clear text on the server. Thus, the server becomes a target in the battlefield for conventional warfare, as well as cyber warfare applicable to both the military and commercial enterprises.

[0006] In an attempt to alleviate the formation of a bottleneck in a large network, passwords for individual users have been stored on their local machines. Upon start-up of the local computer, the user would log onto his assigned computer system and enter his password. Failure to provide such a password would prevent access to that individual computer. This eliminates the overhead associated with a central password file, but it restricts each user to using only the particular computers on the network assigned to them. If a computer fails, the employee may not use another employee's computer in order to complete his assigned tasks. Thus, resources are wasted.

[0007] Therefore, what is needed is a system, method, and computer program that will provide a high degree of security for a local and wide area network, while keeping the administrative communications traffic required to implement security to an absolute minimum. Further, this system, method, and computer program must block access to unauthorized users and users without the proper security clearance. In addition, a user must be able to log on to any computer system in the network and be able to receive messages and access information for the particular user or his role in the organization. The security system must also prevent an unauthorized user from accessing passwords for other users on the system even when the unauthorized user has complete access to a particular computer on the network. Also, this security system must enable a security officer or systems administrator to remotely disable a computer which has fallen (or is suspected of having fallen) into an unauthorized user's hands.

Summary of the Invention 

[0008] An embodiment of the present invention provides for a method of administering access and security on a network having a number of computers. This method begins by installing a local password file containing one-way encrypted passwords on each computer in the network. This local password file includes several user identifications, associated one-way encrypted passwords and associated privileges for each authorized user allowed access to the computers on the network. The one-way encryption is applied to a password entered by a user when the user logs into a computer on the network. The one-way encrypted password entered by the user is checked against the one-way encrypted passwords stored in the password file. Access is enabled to data and software contained on the computer and the network, as permitted by the associated privileges for the user, when a match is found in the password file containing one-way encrypted passwords. Messages are filtered and displayed to the user, as permitted by the associated privileges, when a match is found in the password file containing one-way encrypted passwords.



[0009] Further, an embodiment of the present invention creates a system to administer access and security on a network having several computers. This system has a password file containing one-way encrypted passwords on each computer in the network. The password file includes several user identifications, associated (one-way encrypted) passwords and associated privileges for each authorized user allowed access to the computer and the network. This system also has a user login module to receive a user identification, or role, and password from a user and log in the user when a match is found in the password file containing one-way encrypted passwords. Still further, the system also has a channel monitoring and filtering module to monitor and receive broadcast or multicast messages within the network and display a message to the user when the user's associated privileges permit the viewing of the message.

[0010] Still further, an embodiment of the present invention is a computer program executable by a computer and embodied on a computer readable medium to administer access and security on a network having several computers. This computer program has a password file containing one-way encrypted passwords on each computer in the network. The one-way encrypted password file includes several user identifications, associated (one-way encrypted) passwords and associated privileges for each authorized user allowed access to the computer and the network. This computer program also has a user login code segment to receive a user identification, or role, and password from a user and log in the user when a match is found in the password file containing one-way encrypted passwords. Still further, the computer program also has a channel monitoring and filtering code segment to monitor and receive broadcast or multicast messages within the network and display the message to the user when the user's associated privileges permit the viewing of the message.

[0011] These and other features of this system, method and computer program will become more apparent from the following description when taken in connection with the accompanying drawings which show, for purposes of illustration only, examples in accordance with the present invention.


Brief Description of the Drawings 

[0012] The foregoing and a better understanding of the present invention will become apparent from the following detailed description of exemplary embodiments and the claims when read in connection with the accompanying drawings, all forming a part of the disclosure of this invention. While the foregoing and following written and illustrated disclosure focuses on disclosing example embodiments of the invention, it should be clearly understood that the same is by way of illustration and example only and the invention is not limited thereto. The spirit and scope of the present invention are limited only by the terms of the appended claims.

[0013] The following represents brief descriptions of the drawings, wherein:

FIG. 1 is an example of a wide area network implemented in a military environment;
FIG. 2 is a module configuration diagram of the software, firmware, and hardware used in the embodiments of the present invention;
FIG. 3 is a flowchart of a user login module used in an example embodiment of the present invention;
FIG. 4 is a flowchart of a password management module used in an example embodiment of the present invention;
FIG. 5 is a flowchart of a remote control module used in an example embodiment of the present invention;
FIG. 6 is a flowchart of a remote auditing module used in an example embodiment of the present invention;
FIG. 7 is a flowchart of a channel monitoring and filtering module used in an example embodiment of the present invention; and
FIG. 8 is a flowchart of an authentication module used in an example embodiment of the present invention.

DETAILED DESCRIPTION 

[0014] Before beginning a detailed description of the subject invention, mention of the following is in order. When appropriate, like reference numerals and characters may be used to designate identical, corresponding or similar components in differing figure drawings. Further, in the detailed description to follow, exemplary sizes/models/values/ranges may be given, although the present invention is not limited to the same.
[0015] FIG. 1 is an example of a wide area network 10 implemented in a military environment. However, it should be noted that the embodiments of the present invention may be implemented and utilized on any commercial local area network and wide area network. In FIG. 1, a wide area network 10 is shown having various military vehicles 30, each of which may contain at least one processor-based system used to access the wide area network 10. This processor-based system may be, but is not limited to, a palm computer, personal digital assistant (PDA), lap-top computer or personal computer. In addition to the military vehicles 30, one of these military vehicles 30 has been designated as the brigade executive officer (Bde XO) vehicle or systems administrator's or security officer's (SA/SO) 40 vehicle. This is done to indicate that the systems administrator's or security officer's computer system may be located on any user terminal located within a military vehicle 30. Normally, however, the SA/SO computer system would be located in a structure 50 away from the area of battle. Communications between structure 50 and the wide area network 10 would be through radio frequencies 70 either directly or through a satellite 60. Further, any number of subordinate networks 20 may be contained within wide area network 10.

[0016] As discussed above, the wide area network 10, shown in FIG. 1, need not be restricted to usage in a battlefield environment or to radio communications. The wide area network 10 may be a local area network or a wide area network used commercially by a corporation in which communications between nodes is established by coaxial cable, fiber optic cable, twisted pair, or any other suitable communications method available. Further, any type of packet switching network software commercially available may be utilized to establish communications between nodes in the wide area network 10. Therefore, the present invention is not restricted to a military environment and is only restricted by the language of the claims.

[0017] FIG. 2 illustrates an example of an embodiment of the present invention in which a portion of the software, firmware and hardware required to perform the specific tasks is illustrated. The blocks illustrated in FIG. 2 represent modules, code, code segments, commands, firmware, hardware, instructions and data that are executable by a processor-based system(s) and may be written in a programming language, such as, but not limited to, C++. The discussion provided below is directed to a security system used in a local or wide area network of computers. However, as would be appreciated by one of ordinary skill in the art, the embodiments of the present invention may be used in numerous software applications.

[0018] Still referring to FIG. 2, a channel monitoring and filtering module 1000 is illustrated communicating with a local password file 1500. The channel monitoring and filtering module 1000 includes, but is not limited to, operation 650 through operation 710 shown in FIG. 7. The channel monitoring and filtering module 1000 is installed on each and every user node, computer system, and military vehicle 30 shown in FIG. 1. The function of the channel monitoring and filtering module 1000 is to monitor for and receive broadcast and multicast messages within the wide area network 10 and determine the privileges or security clearance required by the current user of the computer system in order for that user to view that particular message. The channel monitoring and filtering module 1000 is discussed in further detail in reference to the discussion of FIG. 7.
[0019] Still referring to FIG. 2, a user login module 1200 is provided in order to permit login of users and determine the user's privileges and security clearance. The user login module displays a login screen to the user, one-way encrypts the password and determines if the local password file 1500 contains a match. The user login module 1200 includes, but is not limited to, operation 100 through operation 200 shown and discussed in reference to FIG. 3.

[0020] Still referring to FIG. 2, a password management module 1300 is provided to enable updating of all local password files 1500 located within the wide area network 10. Each and every computer system in the wide area network 10, including the systems administrator's or security officer's computer system, contains an identical password file. In the case of the systems administrator or security officer the password file is referred to as the master password file 1800. The password management module 1300 ensures that all computer systems in wide area network 10 contain the same password file. The password management module 1300 may also optionally maintain a log of all computer systems that have been updated with the latest version of the password file. This password file contains all user identifications (IDs) and passwords for all authorized users of the wide area network 10. It also includes the privileges associated with each user and serves to prevent non-authorized individuals from accessing privileged data. Further, the password file need not be structured exclusively by user ID, but may be based on roles or titles of authorized users of the wide area network 10. Also, the password file, which is both the master password file 1800 and the local password file 1500, need not necessarily contain the user's privileges, since these privileges may be contained in a separate file with pointers thereto from the password file.
[0021] Still referring to FIG. 2, a remote auditing module 1400 is provided in order to monitor and process anomalous or other security critical events which may occur on a user terminal or military vehicle 30. These critical events include, but are not limited to:

1. A user has exceeded the number of allowable unsuccessful login attempts;

2. Changes have occurred in the user's need-to-know, security clearance or role;

3. A system disable operation was initiated by the user;

4. A user's password has expired;

5. A message was rejected due to an invalid digital signature;

6. A request for a remote user re-authorization, initiated by the Security Officer (SO), has been implemented on the remote user terminal;

7. A request for a remote user lockout, initiated by the SO, has been implemented on the remote user terminal;

8. A request for a remote terminal disable, initiated by the SO, has been initiated at the remote user terminal; and

9. A request for remotely loading passwords, initiated by the SO, has completed successfully on the remote user terminal.

When the foregoing and other anomalous events occur, the user's computer system may be immediately shut down and vital files, such as the password file, may be erased. Otherwise, the remote control module 1600 may be executed so that the systems administrator or security officer may take the appropriate action.
[0022] Still referring to FIG. 2, a remote control module 1600 is provided so that the systems administrator or security officer may take the appropriate action when certain events transpire. Such events may include the anomalous events discussed above. In addition to taking action in response to the foregoing events, the system administrator or security officer may simply periodically or randomly request re-authentication of users on user terminals in military vehicles 30.
[0023] Still referring to FIG. 2, an authentication module 1700 is provided so that upon successful local re-authentication by a user, the re-authentication is (as an option to the system administrator or security officer) checked and confirmed against the master password file 1800 stored at the systems administrator's or security officer's computer system. Since the local password file 1500 stored in the user's computer system or in a military vehicle 30 should be identical to the master password file 1800 stored in the systems administrator's or security officer's computer system, the authentication module 1700 should return a confirmation of the user's identity. This is provided so that in the event that the local password file 1500 has been bypassed, this may be detected and further appropriate remote control actions taken by the system administrator or security officer immediately.

[0024] FIG. 3 is a flowchart of a user login module 1200 used in an example embodiment of the present invention. The user login module 1200 begins execution in operation 100 and thereafter immediately proceeds to operation 110. In operation 110, a user/role login screen is displayed on the user terminal, computer system or military vehicle 30. In operation 120, the user enters his user ID/role and password. Thereafter in operation 130, the user password is one-way encrypted. One-way encryption is discussed in Stallings, William, "Network Security Essentials: Applications and Standards", Prentice-Hall, ISBN 0-13-016093-8, pages 282 through 285, herein incorporated by reference. In operation 140, using the user ID/role and the encrypted password produced in operation 130, the local password file 1500 is accessed. The passwords in the local password file 1500 are also one-way encrypted. Therefore, if a match is found, it is based on the comparison of a one-way encrypted password with a stored one-way encrypted password. In this way even if the local password file 1500 were to fall into unauthorized hands, the original passwords could not be deciphered. If a match is found in operation 150, processing proceeds to operation 160. In operation 160, the user's/role's privileges are accessed. These privileges or security clearance may be stored as a bit pattern associated with the user ID and password in the local password file 1500 or separately in another file. In either case, processing proceeds to operation 170 where, based on the privileges retrieved, the message set, file set and software associated with this security clearance or privilege are accessed. Thereafter, processing terminates for the user login module 1200 in operation 180.

[0025] However, if a match is not found in operation 150, then processing proceeds to operation 190 in which it is determined if this is the third failed attempt at logon. If this is not the third failed attempt, then processing proceeds back to operation 110 where the individual is requested to log in again. However, if this is the third failed attempt at logon, then processing proceeds to operation 200 where the remote auditing module 1400 is executed.
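The login module of FIG. 3 and the privilege check of the channel filter (module 1000) can be shown end to end in a few dozen lines. The following Go program is an added example written for this page, not code from the patent or from TRW. It assumes a per-user salt (the patent only says passwords are one-way encrypted), uses SHA-256 as the one-way function, stores privileges as a bit pattern as paragraph [0024] allows, and treats the third failed attempt as the hand-off to remote auditing (operation 200). The privilege bit names and sample users are constructed for the example. It goes one step beyond the flowchart by also applying the stored bits to a message's required privileges, which is the rule module 1000 enforces.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Privilege bits stored with each record. The patent only says privileges
// "may be stored as a bit pattern"; these three names are constructed for
// the example.
const (
	PrivOrders    uint32 = 1 << iota // may view operational orders
	PrivPositions                    // may view friendly/enemy positions
	PrivAdmin                        // SA/SO administrative functions
)

// MaxFailures mirrors the patent's "third failed attempt"; the patent notes
// the number is at the SA/SO's discretion.
const MaxFailures = 3

// Record is one entry of the local password file 1500. The password itself is
// never stored, only a salt and its one-way hash plus the privilege bits.
type Record struct {
	Salt       []byte
	Hash       []byte
	Privileges uint32
}

// PasswordFile is keyed by user ID or role name, as the patent allows either.
type PasswordFile map[string]Record

// hashPassword is the one-way function of operation 130: SHA-256 over
// salt||password. The per-user salt is an addition of this example (the
// patent does not mention one); it stops identical passwords from producing
// identical file entries.
func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// AddUser is what the SA/SO would call when building the master file 1800.
func (f PasswordFile) AddUser(id, password string, privs uint32) error {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	f[id] = Record{Salt: salt, Hash: hashPassword(salt, password), Privileges: privs}
	return nil
}

// Session is the state of one login screen (operations 110 to 200).
type Session struct {
	File     PasswordFile
	Failures int
	Audited  bool // set when the remote auditing module 1400 would be executed
}

// Login performs operations 130 to 160: hash the entered password, compare it
// with the stored hash, and return the privilege bits on a match. Unknown IDs
// are hashed and compared against a zero digest so that timing does not reveal
// which user names exist.
func (s *Session) Login(id, password string) (uint32, bool) {
	rec, known := s.File[id]
	stored := rec.Hash
	if !known {
		stored = make([]byte, sha256.Size)
	}
	match := subtle.ConstantTimeCompare(hashPassword(rec.Salt, password), stored) == 1
	if known && match {
		s.Failures = 0
		return rec.Privileges, true
	}
	s.Failures++
	if s.Failures >= MaxFailures {
		s.Audited = true // operation 200
	}
	return 0, false
}

// MayView is the channel filter rule of module 1000: a message is displayed
// only when the user's privilege bits cover every bit the message requires.
func MayView(userPrivs, required uint32) bool {
	return userPrivs&required == required
}

func main() {
	file := PasswordFile{}
	// Constructed sample users; not from the patent.
	_ = file.AddUser("bde_xo", "correct-horse", PrivOrders|PrivPositions)
	_ = file.AddUser("driver", "battery-staple", PrivOrders)

	s := &Session{File: file}
	for _, pw := range []string{"guess1", "guess2", "guess3"} {
		_, ok := s.Login("driver", pw)
		fmt.Printf("driver/%s -> ok=%v failures=%d audited=%v\n", pw, ok, s.Failures, s.Audited)
	}
	privs, ok := s.Login("bde_xo", "correct-horse")
	fmt.Printf("bde_xo login ok=%v, may view positions: %v, admin: %v\n",
		ok, MayView(privs, PrivPositions), MayView(privs, PrivAdmin))
}
```

The constant-time comparison and the dummy hash for unknown IDs are the two details a practitioner would add beyond the flowchart: without them, response timing on the login screen leaks which user IDs exist in the file, which matters when the file is shared across every node on the network.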

[0026] FIG. 4 is a flowchart of a password management module 1300 used in an example embodiment of the present invention. The password management module 1300 begins execution in operation 250 and immediately proceeds to operation 260. In operation 260, the SA/SO (system administrator/security officer) enters his passphrase to decrypt/recover his private key. In operation 270, the SA/SO, using the decrypted private key, digitally signs a message containing the master password file, to be broadcast to all users of the wide area network 10. The message is broadcast or multicast to the entire wide area network 10 or to targeted users or military vehicles 30 on the wide area network 10 in operation 290. In operation 300, the targeted nodes, users, computer systems, or military vehicles 30 authenticate the digital signature using the SA/SO public key which is stored locally on their systems. In operation 310, it is determined if the digital signature has been authenticated. If the digital signature has been authenticated in operation 310 then processing proceeds to operation 320. In operation 320, the master password file 1800 is installed in the local system as the local password file 1500. Thereafter, in operation 330, a determination is made whether the installation was successful. If the installation was successful, then processing proceeds to operation 340 where the password management module 1000 terminates execution.

[0027] However, if either the digital signature is not authenticated in operation 310, which would indicate that the local user terminal does not have the proper public key for the SA/SO, or the installation is determined to be unsuccessful in operation 330, then processing proceeds to operation 350 where the remote auditing module 1400 is executed.

[0028] FIG. 5 is a flowchart of a remote control module 
1600 used in an example embodiment of the present 
invention. The remote control module 1600 begins ex- 
ecution in operation 400 and immediately proceeds to 
operation 410. In operation 410, the SA/SO enters his 
passphrase in order to decrypt his associated private 
key. Thereafter, in operation 420, the SA/SO digitally 
signs a challenge message to be delivered to a suspect 
user node using the SA/SO private key. This challenge 
may be caused by any number of events. These events 
may include anything from a random request to re-au- 
thentication to a suspected capture of a military vehicle 



30 by enemy troops. Then in operation 430, the mes- 
sage containing the challenge is transmitted to the tar- 
geted user node, such as a military vehicle 30. Upon 
receipt, in operation 440, of the message, the target 
5 node authenticates the signature using the SA/SO pub- 
lic key. In operation 450, it is determined whether the 
message was authenticated using the SA/SO public 
key. If the signature cannot be authenticated, process- 
ing proceeds to operation 455 where the remote audit- 
to ing module 1 400 is executed. This failure to authenticate 
the digital signature in operation 450 may be indicative 
of an unauthorized user masquerading as the SA/SO. 
Thereafter, processing proceeds to operation 545 
where the remote control module 1600 terminates exe- 
15 cution. 

[0029] However, if the digital signature of the SA/SO 
is authenticated in operation 450, processing then pro- 
ceeds to operation 460. In operation 460, the user/role 
login screen is displayed on the user terminal which may 

20 be located in military vehicle 30. Thereafter, processing 
proceeds to operation 470 where it is determined if a 
timeout has occurred to the user's failure to enter a 
password. If a timeout has not occurred then processing 
proceeds to operation 490. In operation 490, it is deter- 

25 mined whether the password entered by the user is cor- 
rect. If either in operation 470, a timeout condition exists, 
or in operation 490, password is incorrect, then process- 
ing proceeds to operation 480. In operation 480, it is de- 
termined whether this is the third failed attempt by the 

30 user to enter the correct password. If in operation 480 
is determined that this is not the third failed attempt then 
processing loops back to operation 460 where the user 
is once again requested to enter the correct password. 
The selection of three failed attempts to login is strictly 

35 arbitrary and completely up to the discretion of the SAJ 
SO. 

[0030] However, if in operation 480 it is determined that this is the third failed attempt at login by the user, processing proceeds to operation 510. In operation 510, the remote auditing module 1400 is executed. Thereafter, processing proceeds to operation 520 where the SA/SO may escalate the level of control over the user terminal which may be located in military vehicle 30. The SA/SO has at least three options available to him as indicated in operations 530, 535, and 540. However, these are a limited number of options illustrated and are not exhaustive of all possibilities. In operation 530, the SA/SO may lock the terminal screen, which may be located in military vehicle 30, so that the user may only respond to the login screen in order to re-authenticate his user ID and password. Thereafter, processing proceeds to operation 420 from operation 530 so that the user may receive a challenge message and again attempt to enter the correct password in operation 460. However, in operation 460 an indication is supplied that a screen lock condition exists and no other functions are permitted. Further, the SA/SO, in operation 535, may totally disable the user terminal, which may be located in the military vehicle 30. Totally disabling the user terminal would entail deleting certain files on the user's disk drive or memory and shutting down the system. In operation 540, the SA/SO may decide to spoof the user into believing he has successfully logged into the system and wide area network 10. Thereafter, in operation 540, the SA/SO may provide the user with false information intended to mislead the user and this may continue indefinitely. When operation 535 is selected, processing proceeds to operation 545 where processing terminates for the remote control module 1600.
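The challenge verification, failed-attempt counting and SA/SO escalation of FIG. 5 (operations 440 to 545), as an added example that is not the patent's own code: an HMAC under a shared key stands in for the SA/SO public-key signature so the example runs on the standard library alone, and the user id, password and salt are constructed.

```python
# Added example (not from the patent): the remote control module 1600 flow
# of FIG. 5, operations 440 to 545. An HMAC under a shared key stands in
# for the SA/SO public-key signature; user ids and passwords are constructed.
import hashlib
import hmac

MAX_FAILED_ATTEMPTS = 3   # the patent leaves this number to the SA/SO's discretion
SALT = b"constructed-salt"

def one_way_encrypt(password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()

def sign_challenge(saso_key: bytes, challenge: bytes) -> bytes:
    """SA/SO side of operation 430 (HMAC in place of a public-key signature)."""
    return hmac.new(saso_key, challenge, hashlib.sha256).digest()

# Constructed local password file 1500: user id -> one-way encrypted password
LOCAL_PASSWORD_FILE = {"soldier1": one_way_encrypt("correct horse")}

class RemoteControlSession:
    """One terminal's state: idle, login_screen, logged_in, audit or disabled."""

    def __init__(self, saso_key: bytes):
        self.saso_key = saso_key
        self.failed_attempts = 0
        self.screen_locked = False   # set by operation 530
        self.state = "idle"

    def receive_challenge(self, challenge: bytes, signature: bytes) -> str:
        """Operations 440-460: only a verified SA/SO challenge opens the login screen;
        a bad signature (possible masquerade) goes to the remote auditing module 1400."""
        ok = hmac.compare_digest(sign_challenge(self.saso_key, challenge), signature)
        self.state = "login_screen" if ok else "audit"
        return self.state

    def attempt_login(self, user_id: str, password) -> str:
        """Operations 470-490; a timeout (operation 470) is passed as password=None."""
        if self.state != "login_screen":
            raise RuntimeError("login is only accepted from the login screen")
        stored = LOCAL_PASSWORD_FILE.get(user_id)
        if (password is not None and stored is not None
                and hmac.compare_digest(stored, one_way_encrypt(password))):
            self.failed_attempts = 0
            self.screen_locked = False
            self.state = "logged_in"
            return self.state
        self.failed_attempts += 1          # operation 480 counts the failures
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.state = "audit"           # operation 510: remote auditing module 1400
        return self.state

    def escalate(self, action: str) -> str:
        """Operations 530 (lock) and 535 (disable); option 540 is not modelled."""
        if self.state != "audit":
            raise RuntimeError("escalation only follows the remote auditing module")
        if action == "lock":
            self.screen_locked = True      # only a new challenge and the login screen remain
            self.failed_attempts = 0
            self.state = "idle"            # back to operation 420
        elif action == "disable":
            self.state = "disabled"        # operation 545: module 1600 terminates
        else:
            raise ValueError(f"unknown action {action!r}")
        return self.state
```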

[0031] FIG. 6 is a flowchart of a remote auditing module 1400 used in an example embodiment of the present invention. The remote auditing module 1400 begins execution in operation 550 and immediately proceeds to operation 560. In operation 560, an anomalous event is detected by the local user terminal which may be in a military vehicle 30. The types of anomalous events which may occur have been previously discussed and will not be repeated here. Thereafter, in operation 570 this anomalous event is reported to the SA/SO. Then in operation 580 the determination is made whether to immediately shut down the user terminal. This immediate shut down would occur when a soldier determines that the vehicle is about to be captured and indicates so on the terminal. Thereafter in operation 590, the report of imminent shut down is reported to the SA/SO. In operation 600, selected critical files are erased. Finally in operation 610, the terminal is shut down. Thereafter processing proceeds to operation 620 where the remote auditing module 1400 terminates execution.

[0032] However, if in operation 580 it is determined that an immediate shut down is not required then processing proceeds to operation 630 where the remote control module 1600 is executed.
[0033] FIG. 7 is a flowchart of a channel monitoring and filtering module 1000 used in an example embodiment of the present invention. The channel monitoring and filtering module 1000 begins execution in operation 650 and immediately proceeds to operation 660. In operation 660, a message is received by the user terminal in military vehicle 30. In operation 670, the user terminal identifies the originator of the message. Thereafter, in operation 680 the user terminal accesses the local password file 1500 in order to retrieve the privileges of the user currently logged into the user terminal. Thereafter, in operation 690, it is determined whether the current user may access and view the message received in operation 660. If in operation 690 it is determined that the current user may view the message received in operation 660, then processing proceeds to operation 710 where the message is displayed to the user. Thereafter, whether the user has seen the message or not, processing proceeds to operation 700 where execution of the channel monitoring and filtering module 1000 is terminated.
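The privilege check of operations 680 to 710, as an added example that is not part of the patent: the clearance ordering, the compartment sets and the message layout are assumptions, since the patent only states that the local password file 1500 holds each user's privileges, and the file contents and messages are constructed.

```python
# Added example (not from the patent): the channel monitoring and filtering
# module 1000 of FIG. 7. Clearance levels, compartments and the message layout
# are assumptions; the privilege records and messages below are constructed.
from dataclasses import dataclass

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

@dataclass(frozen=True)
class Privileges:
    """Assumed shape of the privileges stored per user in local password file 1500."""
    clearance: str
    compartments: frozenset = frozenset()

@dataclass(frozen=True)
class Message:
    """Assumed broadcast/multicast message: originator, label and body."""
    originator: str
    level: str
    compartments: frozenset
    body: str

# Constructed local password file 1500 (password hashes omitted; only privileges matter here)
LOCAL_PASSWORD_FILE = {
    "soldier1": Privileges("confidential"),
    "commander": Privileges("secret", frozenset({"ops"})),
}

def may_view(user_id: str, msg: Message) -> bool:
    """Operations 680-690: the user's clearance must dominate the message level
    and the user must hold every compartment the message is marked with."""
    priv = LOCAL_PASSWORD_FILE.get(user_id)
    if priv is None or msg.level not in LEVELS:
        return False   # unknown user or unrecognised label: fail closed
    return (LEVELS[priv.clearance] >= LEVELS[msg.level]
            and msg.compartments <= priv.compartments)

def filter_channel(user_id: str, messages: list) -> list:
    """Operations 660-710 over a batch of received messages: returns only
    those the terminal would display (operation 710) to the logged-in user."""
    return [m for m in messages if may_view(user_id, m)]
```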

[0034] FIG. 8 is a flowchart of an authentication module 1700 used in an example embodiment of the present invention. The authentication module 1700 begins execution in operation 740 and immediately proceeds to operation 750. In operation 750, the user terminal, perhaps the military vehicle 30, digitally signs a message, encrypting the user password that the user has entered, along with the signature authentication data, using the SA/SO public key. This SA/SO public key was originally installed with the user terminal or downloaded at some later date by the SA/SO. The user terminal then transmits the message to the SA/SO. Then in operation 770, the SA/SO upon receipt of the message immediately authenticates the signature, decrypting the user password along with the signature authentication data, using his private key after entering his passphrase. The ability to decrypt the encrypted key received is evidence that the user has possession of the appropriate public key. Thereafter, the password is one-way encrypted in operation 780, and in operation 790, the master password file 1800 is accessed. In operation 800, if a match is found in the master password file 1800 then it is determined that the user is most likely the authorized user and processing proceeds to operation 830 where the authentication module 1700 terminates execution.
[0035] However, if in operation 800 it is determined that a match does not exist then it may be assumed that the local password file 1500 in the user terminal, perhaps in the military vehicle 30, has been compromised. This assumption may be reached since in order to reach this point in processing it would have been necessary for the user to enter a password contained in the local password file 1500 on his terminal perhaps within a military vehicle 30. In operation 810, the SA/SO is alerted to this possible compromised password file by the execution of the remote auditing module 1400. Thereafter, in operation 820 the SA/SO may take any action he determines appropriate. This may include disabling the user's computer system or engaging in a spoofing operation as previously discussed.
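The SA/SO side of this re-authentication (operations 780 to 820), as an added example that is not the patent's code: the transport of the password under the SA/SO public key is omitted and the check starts from the decrypted password; PBKDF2 stands in for the patent's one-way encryption, and the file contents, user ids and passwords are constructed.

```python
# Added example (not from the patent): the master-file check of the
# authentication module 1700 (FIG. 8) and how a mismatch exposes a local
# password file 1500 that has been altered. Transport encryption is omitted;
# PBKDF2 stands in for "one-way encryption"; all file contents are constructed.
import hashlib
import hmac

SALT = b"constructed-salt"   # constructed; a deployment would use per-user salts

def one_way_encrypt(password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()

# Constructed master password file 1800 held by the SA/SO.
MASTER_PASSWORD_FILE = {
    "soldier1": one_way_encrypt("correct horse"),
    "soldier2": one_way_encrypt("tank battery"),
}

def local_login(local_file: dict, user_id: str, password: str) -> bool:
    """User login module 1200 (operation 490): check the terminal's local file 1500."""
    stored = local_file.get(user_id)
    return stored is not None and hmac.compare_digest(stored, one_way_encrypt(password))

def saso_reauthenticate(user_id: str, password: str, audit_log: list) -> str:
    """Operations 780-820: one-way encrypt the received password and look it up in
    the master file. A miss means the local file that already accepted this
    password disagrees with the master copy, so the local file is suspect."""
    stored = MASTER_PASSWORD_FILE.get(user_id)
    if stored is not None and hmac.compare_digest(stored, one_way_encrypt(password)):
        return "authenticated"                       # operation 800 match
    # Operation 810: alert the SA/SO through the remote auditing module 1400
    audit_log.append(f"possible compromised local password file: user={user_id}")
    return "local_file_suspect"

def terminal_login_flow(local_file: dict, user_id: str, password: str, audit_log: list) -> str:
    """Whole path: the local check first, then the SA/SO re-authentication."""
    if not local_login(local_file, user_id, password):
        return "rejected_locally"
    return saso_reauthenticate(user_id, password, audit_log)
```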

[0036] Using the embodiments of the present invention, a systems administrator or security officer may manage security on a local or wide area network with minimal overhead or interference in communications on the network. This is accomplished through the use of a password file containing one-way encrypted passwords that resides on each user computer and is difficult if not impossible for someone to decipher. This file containing one-way encrypted passwords enables users to log onto any system in the network and have access to software and information that is permitted for their security level and privileges. However, even if the local password file is bypassed, the embodiments of the present invention can detect this and enable the systems administrator or security officer to take the appropriate action. Further, the bulk of the processing necessary to effectuate the embodiments of the present invention takes place on the user computer system and has minimal impact on the operation of the network. It should be noted that all passwords are one-way encrypted and all private keys are encrypted using a passphrase, thereby making it difficult for an unauthorized user to access them. Thus, no password or private key is stored in the clear so that an unauthorized user can access them.
[0037] While we have shown and described only a few examples herein, it is understood that numerous changes and modifications as known to those skilled in the art could be made to the present invention. For example, reference has been made to the use of radio and microwave communications, but the embodiments of the present invention are not limited to these forms of communications. The embodiments of the present invention will operate in any type of local or wide area network using anything from twisted pair over the public switched telephone network to leased lines as well as coax and fiber optic cable. Further, any sort of communications software may be used for communications in the network. Therefore, we do not wish to be limited to the details shown and described herein, but intend to cover all such changes and modifications as are encompassed by the scope of the appended claims.



Claims 

1. A method of administering access and security on a network having a plurality of computers, comprising:

installing a one-way encrypted password file on each computer of the plurality of computers in the network, wherein the one-way encrypted password file includes a plurality of user identifications, associated one-way encrypted passwords and associated privileges for each authorised user allowed access to the plurality of computers and the network;
one-way encrypting a password entered by a user when the user logs into a computer of the plurality of computers on the network;
checking for a match between the user identification and one-way encrypted password entered by the user and the plurality of user identifications and one-way encrypted passwords stored in the one-way encrypted password file;
enabling access to data and software contained on the computer and the network permitted by the associated privileges for the user when a match is found on the one-way encrypted password file; and
filtering and displaying messages to the user permitted by the associated privileges when a match is found on the one-way encrypted password file.

2. The method recited in claim 1, wherein the associated privileges contained in the one-way encrypted password file indicate the security level and access privileges of the user identification for access to software, data and messages contained in the computer, the network, and transmitted over the network.

3. The method recited in claim 1, wherein when one or more attempts of the user entering a user identification and one-way encrypted password have failed to match the plurality of user identifications and one-way encrypted passwords contained in the one-way encrypted password file, the method further comprising:

transmitting to a systems administrator or security officer by the computer a notification of the failure to provide a one-way encrypted user identification and password that matches a user identification and one-way encrypted password stored on the one-way encrypted password file.

4. The method recited in claim 3, further comprising:
locking, upon request by the systems administrator or security officer, the computer being accessed by the user having at least one failed attempt at entering a user identification and one-way encrypted password so as to permit only access to a login screen by the user.

5. The method recited in claim 3, further comprising:
spoofing, upon request by the systems administrator or security officer, the user into believing that the access has been gained to the computer, wherein spoofing includes the presentation of false messages and information to the user.

6. The method recited in claim 3, further comprising:
disabling, upon request by the systems administrator or security officer, the computer system so that the user cannot access the computer system.

7. The method recited in claim 1, further comprising:

detecting an anomalous event in a computer of the plurality of computers; and reporting the anomalous event to a system administrator or security officer.

8. The method recited in claim 7, wherein the anomalous event comprises:

the user has exceeded the number of allowable unsuccessful login attempts;
a change in the user's associated privileges has occurred;
a system disable operation was initiated by the user;
a user's password has expired;
a message was rejected due to an invalid digital signature;
a request for remote user re-authentication has been received by the systems administrator or security officer;
a request for a remote user lockout has been received by the system administrator or security officer; and
a request for remote loading passwords has been completed successfully on the system administrator or security officer.

9. The method recited in claim 7, further comprising:

deleting a plurality of files on the computer and disabling the computer in response to an anomalous event when requested by the system administrator or security officer or when an immediate shutdown is requested by the user.

10. The method recited in claim 8, further comprising:

disabling the computer system, or spoofing the user, or locking the computer system when an anomalous event occurs.

11. A system to administer access and security on a network having a plurality of computers, comprising:

a one-way encrypted password file on each computer of the plurality of computers in the network, wherein the one-way encrypted password file includes a plurality of user identifications, associated one-way encrypted passwords and associated privileges for each authorised user allowed access to the plurality of computers and the network;
a user login module to receive a user identification or role and password from a user and login the user when a match is found in the one-way encrypted password file; and
a channel monitoring and filtering module to monitor and receive broadcast or multicast messages within the network and display the message to the user when the user's associated privileges permit the viewing of the message.

12. The system recited in claim 11, further comprising:

a password management module to update and insure that all the computers in the network contain the same one-way encrypted password file.

13. The system recited in claim 11, further comprising:

a remote auditing module to monitor and process anomalous events which may occur on the computer.

14. The system recited in claim 13, wherein the anomalous events comprise:

the user has exceeded the number of allowable unsuccessful login attempts;
a change in the user's associated privileges has occurred;
a system disable operation was initiated by the user;
a user's password has expired;
a message was rejected due to an invalid digital signature;
a request for remote user re-authentication has been received by the systems administrator or security officer;
a request for a remote user lockout has been received by the system administrator or security officer; and
a request for remote loading passwords has completed successfully on the system administrator or security officer.

15. The system recited in claim 11, further comprising:
a remote control module to enable a systems administrator or security officer to take appropriate action when an event transpires, wherein the event is an anomalous event.

16. The system recited in claim 15, wherein the appropriate action comprises:

disabling, upon request by the systems administrator or security officer, the computer system so that the user cannot access the computer system; and
deleting, upon request by a systems administrator or security officer, a plurality of files stored in the computer.

17. The system recited in claim 11, further comprising:

an authentication module to re-authenticate the user after the user login module has found a match in the one-way encrypted password contained in the computer by checking the user identification and password against a master password file stored in a computer accessible by a systems administrator or security officer.

18. The system recited in claim 12, wherein the password management module attaches a master password file containing complete user identifications, associated one-way encrypted passwords and associated privileges to a message, encrypts the message using a private key and passphrase for the system administrator or security officer and broadcasts the message to all users.

19. A computer program executable by a computer and embedded in a computer readable medium to administer access and security on a network having a plurality of computers, comprising:

a one-way encrypted password file on each computer of the plurality of computers in the network, wherein the one-way encrypted password file includes a plurality of user identifications, associated one-way encrypted passwords and associated privileges for each authorised user allowed access to the plurality of computers and the network;
a user login code segment to receive a user identification or role and password from a user and login the user when a match is found in the one-way encrypted password file; and
a channel monitoring and filtering code segment to monitor and receive broadcast or multicast messages within the network and display the message to the user when the user's associated privileges permit the viewing of the message.

20. The computer program recited in claim 19, further comprising:

a password management code segment to update and insure that all the computers in the network contain the same one-way encrypted password file.

21. The computer program recited in claim 19, further comprising:

a remote auditing code segment to monitor and process anomalous events which may occur on the computer.

22. The computer program recited in claim 21, wherein the anomalous events comprise:

the user has exceeded the number of allowable unsuccessful login attempts;
a change in the user's associated privileges has occurred;
a system disable operation was initiated by the user;
a user's password has expired;
a message was rejected due to an invalid digital signature;
a request mode for remote user re-authentication has been received by the systems administrator or security officer;
a request for a remote user lockout has been received by the system administrator or security officer; and
a request for remote loading passwords has completed successfully on the system administrator or security officer.

23. The computer program recited in claim 21, further comprising:

a remote control code segment to enable a systems administrator or security officer to take appropriate action when an event transpires, wherein the event is an anomalous event.

24. The computer program recited in claim 21, further comprising:

an authentication code segment to re-authenticate the user after the user login code segment has found a match in the one-way encrypted password contained in the computer by checking the user identification and password against a master password file stored in a computer accessible by a systems administrator or security officer.